Secfox – Addons for Cookie Analysis And Manipulation

Posted by rajivvishwa On December - 17 - 2009
This entry is part 4 of 5 in the series Secfox

In this part of the Secfox series we discuss the addons that help during application security assessments involving cookie analysis and manipulation.

These addons are a huge help when we perform the types of tests listed below.

  • Cookie Prediction
  • Session Fixation
  • Cookie Persistence/Expiration
  • Broken Session Management

Traditional Method

We use a proxy interceptor such as Paros, Burp or WebScarab to trap HTTP requests and modify their values in transit. For this we need to set up a proxy and ensure that the browser traffic passes through it. An additional step is required if the application uses an SSL connection: the proxy's forged certificate must be installed in the browser. The intercepted request lets us add new cookies or modify existing ones. We can also check exactly when cookie values are issued and whether they are flushed upon session expiration.

Usage of Addons

There are various Firefox addons that make the tasks mentioned above easier. Some allow us to view the cookies stored in the browser, others allow us to edit them. The advantage: we don't need a proxy for this job, we can view and edit cookies from the browser itself.

1. View Cookies

This addon adds a tab to the 'Page Info' box available from the Firefox context menu.

View Cookies Addon

Download Link: Download


2. Add N Edit Cookies

This addon integrates a cookie editor into Firefox and also allows us to edit the attributes of a cookie.

Add n Edit Cookies Addon

Download Link: Download


Manage, Track And Collaborate Your Projects Online with ClockingIt

Posted by rajivvishwa On March - 17 - 2009

Project management is not an easy job that can be accomplished with just paper and pencil. What we need is an app that helps us track issues, display timelines, collaborate and reach the required information easily. A project management app is used by all team members, and maximum productivity is ensured only if the app guarantees collaboration. This leaves us with only one option: an online project management tool.

ClockingIt Screenshot

ClockingIt is a web-based app that allows users to manage their projects online. It has all the features needed to get things done and run a project smoothly. Apart from the 'must have' features like issue tracking and charts, this app offers email notification, forums, chat etc., which help users communicate and share information in a centralized location.


Sync Your Files Across Multiple PCs With Dropbox

Posted by rajivvishwa On February - 11 - 2009

Dropbox allows users to store, share and sync their files across multiple computers from multiple sources. The sync is transparent and continuous. The best part is that the process runs in the background and consumes very little RAM.

Dropbox download is available for Windows, Mac and Linux.

Setting up Dropbox is very easy. We need to install Dropbox, then:

  1. Create a Dropbox account.
  2. Specify the Dropbox location on your PC (all files and folders in it are synced with your online Dropbox).


Patching Security Holes With OllyDbg (Part 3/3)

Posted by rajivvishwa On February - 10 - 2009
This entry is part 3 of 3 in the series OllyDbg

Tutorial 3 – Deriving the logic of the generated key to create Keygens

Enter any test string to get the error message.

Screenshot: 3_crackme_ss

Search for the referenced text strings and locate the message displayed in the error box. Analyzing the text references shows that there are no hardcoded keys or fragments of keys.

Screenshot: 3_searchreferencestring

Double-click to open the CPU window and set a breakpoint by pressing F2.

Screenshot: 3_setbreakpoint

Check whether any new strings are generated in the CPU window (and trust me, you won't find any :( ). Now check the memory stack and scroll to the instruction where the userid we entered is displayed. A bit further down you will find a 'key-like' string below the userid string. Enter that in the key field; it should work.

Screenshot: 3_serialfound

There is no point in finding the key without understanding the logic behind its generation. Once we find the logic, we can reverse engineer it and create a distributable keygen.

We can pair each userid character with its corresponding key value as follows:

t – D8
e – C9
s – D7
t – D8
e – None
r – None

Now open 'calc' in scientific mode, select Hex mode and type D8.

Screenshot: 3_valuehex

Select Dec mode to convert the hex value to decimal.

Screenshot: 3_valuedec

Note down the corresponding decimal value for each hex value.

Now open any ASCII chart and note down the ASCII value of each userid character.

Screenshot: 3_testascii

We notice a difference of 100 between the decimal value of each key byte and the ASCII value of the corresponding userid character.

So we can derive the logic to create our own keygen:

Logic Sequence

  1. Take the first four characters of the username
  2. Convert each character to its decimal ASCII value
  3. Add 100 to the decimal value obtained in step 2
  4. Convert the result to hex; the key is obtained!
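The scheme derived above is trivially reversible, which is what the conclusion of this tutorial warns about. The following is an added example, not code from the crackme or from this post: it implements the derived scheme, shows that the userid can be read straight back out of the key, and sets a keyed HMAC check beside it as the kind of standard algorithm the conclusion recommends. The secret, userids and key strings are constructed for the demo.

```python
"""Added example: weak key scheme from the tutorial beside a keyed check."""
import hashlib
import hmac

OFFSET = 100  # the fixed difference observed between key byte and ASCII value


def weak_key(userid: str) -> str:
    """Scheme derived in the tutorial: first four chars, ASCII + 100, hex."""
    return "".join(f"{ord(ch) + OFFSET:02X}" for ch in userid[:4])


def weak_key_recovered(key: str) -> str:
    """Why the scheme is broken: the userid falls straight out of the key."""
    return "".join(chr(int(key[i:i + 2], 16) - OFFSET)
                   for i in range(0, len(key), 2))


# Constructed demo value; in practice it must stay on the issuing side only.
SERVER_SECRET = b"constructed-demo-secret"


def strong_key(userid: str, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over the userid, truncated to 16 hex chars.

    Without the secret there is no arithmetic relation between userid and
    key to spot in a debugger, unlike the +100 scheme above.
    """
    mac = hmac.new(secret, userid.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16].upper()


def verify_key(userid: str, key: str, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison so timing does not leak matching prefixes."""
    return hmac.compare_digest(strong_key(userid, secret), key)


if __name__ == "__main__":
    print("weak  :", weak_key("tester"))            # D8C9D7D8, as in the post
    print("userid:", weak_key_recovered("D8C9D7D8"))  # test
    print("strong:", strong_key("tester"))
    print("check :", verify_key("tester", strong_key("tester")))
```

If the verification secret ships inside the client binary it can still be extracted with the same debugger, so the HMAC only helps when the secret, or the verification itself, stays server-side.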

CrackMe App Download : Download Alt: Download

Video: embedded Flash video (not reproduced here)

Conclusion: Always use multilevel, complex logic to derive your own key. It is advisable to use a standard encryption algorithm to generate the key used for comparison.

Note: The apps used in the tutorials were downloaded from the DeathSpawn website (no longer working :( ) and a detailed 'How-to' can be read from the text file included with the app package.

Patching Security Holes With OllyDbg (Part 2/3)

Posted by rajivvishwa On February - 10 - 2009
This entry is part 2 of 3 in the series OllyDbg

Tutorial 2 – Finding generated key at runtime

Enter any test data and observe the error message displayed.

Screenshot: 2_incorrectstringentered

Search for referenced text strings as described in Tutorial 1. Scroll to the location shown below.

Screenshot: 2_searchrefstrings

Notice the two 'key-like' strings among the referenced text strings. If you think one of them is the valid key, you are wrong; but then why and where are they used, and what is the correct key? We will find out soon.

Double-click the message 'The serial you entered is not correct' to reach the instruction location in the CPU window. When we analyze the code we come across a few concatenation operations. Unfortunately the keys are concatenated with blanks and finally compared with the user input.

Screenshot: 2_stringscpumain

The blank values you see in the comments are not really blank; the values are assigned at runtime. We have to set a breakpoint to obtain the dynamically assigned value.

To set a breakpoint, select the instruction and press F2. Breakpoints are highlighted in red over the memory location.

Screenshot: 2_settingbreakpoint

Press the 'Play' button to run the crackme application. Enter any random data and click the 'Check' button. The application pauses at the breakpoint set in the previous step. Go to the location where you saw the two suspicious 'key-like' strings earlier.

Screenshot: 2_foundserialgenerated

Just before the breakpoint we find a new long string value displayed instead of the blank strings seen earlier. Reversing this, you can see that the two keys 'L2C-5781' and '4562-ABEX' are static and are respectively prefixed and suffixed to a dynamically generated string. This is what we were looking for: the correct key to this app.


Correct String Entered


CrackMe App Download : Download Alt : Download

Video: embedded Flash video (not reproduced here)

Conclusion: Never hardcode even fragments of static keys; they help deduce the complete key. Use some kind of logic to generate a dynamic key value.

Patching Security Holes With OllyDbg (Part 1/3)

Posted by rajivvishwa On February - 10 - 2009
This entry is part 1 of 3 in the series OllyDbg

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows. This machine-level debugger was created by Oleh Yuschuk for the 80x86. OllyDbg traces registers and recognizes procedures, loops, API calls, switches, tables, constants and strings. These features can be utilized to understand an application's internals.

Introduction

OllyDbg has 4 main windows in the default layout: the CPU window, Registers, Memory Stack and Hex Dump. We will be working in the CPU window most of the time.

Screenshot: ollydbgrefscreen

OllyDbg Download : Download

The set of 3 tutorials illustrated here explains how OllyDbg can be used effectively to identify security holes and to ensure that the code written is healthy.


Quickly Switch Between OpenDNS And Direct Connection With NetSetMan

Posted by rajivvishwa On February - 3 - 2009

OpenDNS is a service that provides a parental control solution by filtering sites based on the URL entered by the user. OpenDNS can be set up easily by replacing the DNS nameserver provided by the ISP with the OpenDNS one. By changing this setting as and when required we can switch between a direct connection and OpenDNS. But going into the LAN settings each time is tedious when one wants to switch frequently. Let us find a workaround for this.


WebToMail – Access Web Pages Via Email

Posted by rajivvishwa On January - 3 - 2009

Get snapshots of internet pages you cannot access by just sending an email. If you don't have internet access but can use your corporate email, this service serves you best. It might also be helpful for those who want to take a peek at sites blocked by their network admins.

